CVE-2024-52577 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-52577 PUBLISHED CVSS 9.5 CRITICAL

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.

EPSS 2.58% · 85.4th percentile

Risk Scores

CVSS v4.0

9.5

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS Score

2.58%

85.4th percentile

Affected Products

Vendor	Product	Versions
Maven	org.apache.ignite:ignite-core	2.6.0
Apache Software Foundation	Apache Ignite	2.6.0
apache	ignite	2.6.0

Timeline

Feb 14, 2025 CVE Published
Feb 14, 2025 Coalition ESS Score
Feb 14, 2025 Coalition ESS Score
Feb 14, 2025 PoC Published
Feb 14, 2025 PoC Published
Feb 14, 2025 PoC Published
Feb 14, 2025 PoC Published
Feb 14, 2025 PoC Published
Feb 15, 2025 EPSS Score
Feb 17, 2025 PoC Published
Feb 19, 2025 PoC Published
Feb 19, 2025 PoC Published

References

Open in Interactive Console →